Date: Mon, 1 Feb 2016 16:32:55 +0100
From: Gerhard Rieger <gerhard@...t-unreach.org>
To: oss-security@...ts.openwall.com
Subject: Socat security advisory 7 - Created new 2048bit DH modulus
Socat security advisory 7 - Created new 2048bit DH modulus
Overview
In the OpenSSL address implementation the hard coded 1024 bit DH p
parameter was not prime. The effective cryptographic strength of a key
exchange using these parameters was weaker than the one one could get by
using a prime p. Moreover, since there is no indication of how these
parameters were chosen, the existence of a trapdoor that makes possible
for an eavesdropper to recover the shared secret from a key exchange that
uses them cannot be ruled out.
A new prime modulus p parameter has been generated by Socat developer
using OpenSSL dhparam command.
In addition the new parameter is 2048 bit long.
Vulnerability Ids:
Socat security issue 7
MSVR-1499
Severity: Unknown
Affected versions
1.7.3.0
2.0.0-b8
Not affected or corrected versions
1.0.0.0 - 1.7.2.4
1.7.3.1 and later
2.0.0-b1 - 2.0.0-b7
2.0.0-b9 and later
Workaround
Disable DH ciphers
Download
The updated sources can be downloaded from:
http://www.dest-unreach.org/socat/download/socat-1.7.3.1.tar.gzhttp://www.dest-unreach.org/socat/download/socat-2.0.0-b9.tar gz
Acknowledgments
Santiago Zanella-Beguelin and Microsoft Vulnerability Research (MSVR).
[ CONTENT OF TYPE application/pgp-signature SKIPPED ]